SD-Access Wireless: why would you care?
CUWN Architecture - Centralized: Overview

[Figure: Traditional Campus. Shared services WLC, DHCP, DNS, NTP, SMTP, AAA, AD, LDAP, MDM, IPAM; SW, DMZ, Internet. Local mode AP (AP1) on traditional switches (Switch1, Switch2) with CAPWAP Control & Data to the WLC; Anchor WLC reached over an EoIP Tunnel; SSID Employee, SSID Guest. Callouts: packet to wired; Policy Definition/Enforcement Point for Wi-Fi clients; Policy Definition and Enforcement Point for wired clients; client keeps the same IP address while roaming; wireless VLANs are centrally defined; single point of ingress to the wired network.]

Architecture Benefits:
• Overlay: works on any wired network
• Simplified Access switch configuration
• Single point of Ingress for wireless traffic
• Easy seamless mobility
• Simplified IP addressing for wireless
• Centralized Management
• Easy wireless Guest tunneling solution

Customers may NOT like:
• Limited scalability for East-West traffic
• Separated policies for wired and wireless
• Different enforcement point for wired and wireless
• Lack of visibility between WLC and APs
CUWN Architecture - FlexConnect: Overview

[Figure: Data Center with WLC, DHCP, DNS, NTP, SMTP, AAA, AD, LDAP, MDM, IPAM, SW, DMZ, Internet and WAN; Branch with Flex mode AP on traditional switches over a dot1q trunk, CAPWAP Control & Data to the WLC. Callouts: centralized management for all branches; distributed data plane; no controller at the branch.]

Architecture Benefits:
• Overlay: works on any wired network
• Centralized Management / Lean IT
• Branch cookie cutter configuration
• Distributed data plane
• Reduced hardware footprint at the branch
• Built-in resiliency (WAN survivability for locally switched traffic)

Customers may NOT like:
• Separated policies for wired and wireless
• Different enforcement point for wired and wireless
• No Layer 3 roaming support
• Limited seamless roaming scope (FlexConnect Group)
• Additional configuration on the access switch (trunk and allowed VLANs)
Converged Access Architecture: Overview

[Figure: CA Network with WLC, DHCP, DNS, NTP, SMTP, AAA, AD, LDAP, MDM, IPAM, SW, DMZ, Internet. Switch1 and Switch2 with Mobility Agent (MA), Mobility Controller (MC), MA-to-MA tunnels; Anchor WLC over an EoIP tunnel; Local mode AP with CAPWAP Control & Data; SSID Employee, SSID Guest. Callouts: switch is the Policy Enforcement point for wired and wireless; Guest tunnel through the MC; packet to wired; for roaming, traffic is anchored back to the original switch.]

Architecture Benefits:
• Distributed Data Plane: scalability
• One Policy enforcement point for wired
• Reduced HW footprint and less devices to manage (branch is the sweet spot)
• One common software
• Policies enforced at the edge
• Wireless traffic visibility at the edge
• Easy wireless Guest tunneling solution

Customers may NOT like:
• Distributed Management plane
• Multiple wireless touch points
• Wired and wireless software dependencies
• Anchoring solutions for seamless mobility
• Support for Local mode AP only
• Lack of feature parity with CUWN
What is the Problem? Policy Model Today

[Figure: Enterprise Network; packet fields PAYLOAD DATA, IP SRC, IP DST, PROT, DST PORT, SRC PORT, DSCP; Network Policy.]

Policy is based on the "5 Tuple":
• Only transitive information
• Survives end to end

Network Policy:
• QoS
• Security
• Redirect/copy
• Traffic engineering
• etc.
What is the Problem? Policy Model Today

[Figure: Enterprise Network; packet fields PAYLOAD DATA, IP SRC, IP DST, PROT, DST PORT, SRC PORT, DSCP; Network Policy; "User/device info?"; VLAN 10, VLAN 20, VLAN 30, VLAN 40 paired with SSID A, SSID B, SSID C, SSID D.]

IP ADDRESSES
§ Locate you
§ Identify you
§ Drive "treatment"
§ Constrain you

IP Address "meaning" OVERLOAD

access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
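The ACL above is the slide's picture of what 5-tuple policy looks like: every entry is addresses, wildcard masks, a protocol and port operators, and nothing in it says which user or device group the traffic belongs to. The Python below is an added example (not code from the deck) that parses extended ACEs in the slide's `access-list <n> <permit|deny> <proto> <src> <wildcard> [op port] <dst> <wildcard> [op port]` form, plus the `any` and `host` keywords the slide does not use, and evaluates a packet's 5-tuple with first-match, implicit-deny semantics. The packets in the `__main__` block are constructed; the ACL lines are the slide's own (the slide's `ip` and `icmp` entries carry port operators that real IOS would reject, and the parser simply takes them as written).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The slide's illustrative ACL (random filler addresses, not a real policy);
# each entry is only a 5-tuple plus an action.
SLIDE_ACL = """
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
""".strip().splitlines()

PORT_OPS = {
    "eq": lambda port, n: port == n,
    "neq": lambda port, n: port != n,
    "gt": lambda port, n: port > n,
    "lt": lambda port, n: port < n,
}

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: int
    src_wc: int
    src_port: Optional[Tuple[str, int]]
    dst: int
    dst_wc: int
    dst_port: Optional[Tuple[str, int]]

def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_endpoint(tokens: List[str], i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD', then an optional 'op port'."""
    if tokens[i] == "any":
        addr, wc, i = 0, 0xFFFFFFFF, i + 1
    elif tokens[i] == "host":
        addr, wc, i = _addr(tokens[i + 1]), 0, i + 2
    else:
        addr, wc, i = _addr(tokens[i]), _addr(tokens[i + 1]), i + 2
    port = None
    if i < len(tokens) and tokens[i] in PORT_OPS:
        port, i = (tokens[i], int(tokens[i + 1])), i + 2
    return addr, wc, port, i

def parse_ace(line: str) -> Ace:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, src_wc, src_port, i = _parse_endpoint(t, 4)
    dst, dst_wc, dst_port, _ = _parse_endpoint(t, i)
    return Ace(t[2], t[3], src, src_wc, src_port, dst, dst_wc, dst_port)

def _addr_match(pkt: int, rule: int, wc: int) -> bool:
    # Wildcard mask semantics: 0 bits must match, 1 bits are "don't care".
    return ((pkt ^ rule) & ~wc & 0xFFFFFFFF) == 0

def _port_match(pkt_port: int, cond: Optional[Tuple[str, int]]) -> bool:
    return cond is None or PORT_OPS[cond[0]](pkt_port, cond[1])

def ace_matches(ace: Ace, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    return (
        ace.proto in ("ip", proto)  # 'ip' matches every protocol
        and _addr_match(_addr(src), ace.src, ace.src_wc)
        and _port_match(sport, ace.src_port)
        and _addr_match(_addr(dst), ace.dst, ace.dst_wc)
        and _port_match(dport, ace.dst_port)
    )

def evaluate(acl: List[Ace], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; an extended ACL ends with an implicit deny.
    Returns (action, index of the matching entry, or None for the implicit deny)."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, proto, src, sport, dst, dport):
            return ace.action, idx
    return "deny", None

ACL_102 = [parse_ace(line) for line in SLIDE_ACL]

if __name__ == "__main__":
    # Constructed 5-tuples; nothing in them says which user or group sent the packet.
    for pkt in [("udp", "167.160.188.5", 5000, "248.200.1.1", 2165),
                ("tcp", "37.85.170.100", 1000, "77.26.232.50", 2000),
                ("tcp", "10.0.0.1", 1, "10.0.0.2", 80)]:
        print(pkt, "->", evaluate(ACL_102, *pkt))
```

The returned index is what an operator has to reason about when a group changes: the only way to express "contractors may not reach production" in this model is to know which subnet every contractor lands in and to add or reorder entries accordingly.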
What is the Problem? User Group policy rollout - Today

[Figure: LAN Core with L3 Switch and L2 Switch connected by trunks; WLAN with one SSID serving BYOD, Employee and Contractor; AAA, AD, DHCP; Production Servers and Developer Servers.]

Multiple Steps and Touch Points
1. Define Groups in AD
2. Define Policies
   § VLAN/subnet based
3. Implement VLANs/Subnets
   § Create VLANs
   § Define DHCP scope
   § Create subnets and L3 interfaces
   § Routing for new subnets
   § Map SSID to Interface/VLAN
4. Implement Policy
   § Define ACLs
   § Apply ACLs
5. Many different User Interfaces: AAA, WLC, Devices CLI, ….

What if You Need to Add Another Group & Policy?
What is the Problem? User Group policy rollout - Today

Customer Policy requirements:
§ Three user Groups (Employee, BYOD, Contractor)
§ One single SSID
§ Differentiated policies per Group
§ Guest segmentation (wired and wireless)

[Figure: Employee, BYOD and Contractor groups with Production Serv. and Developer Serv.; LAN Core with L3 Switch and L2 Switch connected by trunks; one SSID for BYOD, Employee and Contractor; AAA, DHCP, AD, WLC; Network Touch Points.]
SD-Access Wireless Architecture
BRKEWN-
SD-Access Fabric Architecture: Roles and Terminology

§ Control-Plane (CP) Node – Map System that manages Endpoint ID to Location relationships. Also known as Host Tracking DB (HTDB)
§ Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects wired endpoints to the SDA Fabric
§ Group Repository – External ID Services (e.g. ISE) are leveraged for dynamic User or Device to Group mapping and policy definition
§ Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
§ DNA Controller – Enterprise SDN Controller provides GUI management abstraction via multiple Service Apps, which share information
§ Fabric Wireless Controller – Wireless Controller (WLC) that is fabric-enabled and participates in the LISP control plane
§ Fabric Mode APs – Access Points that are fabric-enabled. Wireless traffic is VXLAN encapsulated at the AP

[Figure: SD-Access Fabric with DNA Controller, Group Repository (ISE / AD), Control-Plane Nodes (C), Fabric Border (B), Fabric Edge Nodes, Intermediate Nodes (Underlay), Fabric Mode WLC and Fabric Mode APs.]
SD-Access Wireless Architecture: Bringing the best of both architectures by...
1. Simplifying the Control & Management Plane
2. Optimizing the Data Plane
3. Integrating Policy & Segmentation E2E
SD-Access Wireless Architecture: Simplifying the Control Plane

[Figure: ISE / AD, WLC and DNAC around the SD-Access Fabric (Border nodes B, Control-Plane node C); CAPWAP Cntrl plane from the APs to the WLC, LISP Cntrl plane from the WLC into the Fabric; DNAC provides Policy Abstraction and Configuration Automation.]

Fabric enabled WLC: WLC is part of the LISP control plane

Automation
§ DNAC simplifies the Fabric deployment, including the wireless integration component

Centralized Wireless Control Plane
§ WLC still provides client session management
§ AP Mgmt, Mobility, RRM, etc.
§ Same operational advantages of CUWN

LISP control plane Management
§ WLC integrates with LISP control plane
§ WLC updates the CP for wireless clients
§ Mobility is integrated in Fabric thanks to LISP CP
SD-Access Wireless Architecture: Optimizing the Data Plane

[Figure: ISE / AD, WLC and DNAC around the SD-Access Fabric (Border nodes B, Control-Plane node C); CAPWAP Cntrl plane to the WLC, LISP Cntrl plane from the WLC into the Fabric, VXLAN Data plane from the APs into the Fabric; DNAC provides Policy Abstraction and Configuration Automation.]

Fabric enabled WLC: WLC is part of the LISP control plane
Fabric enabled AP: AP encapsulates Fabric SSID traffic in VXLAN

Optimized Distributed Data Plane
§ Fabric overlay with Anycast GW + Stretched subnet
§ VLAN extension with no complications
§ All roaming is Layer 2

VXLAN from the AP
§ Carrying hierarchical policy segmentation starting from the edge of the network
SD-Access Wireless Architecture: Optimizing the Data Plane: Stretched subnets – A Closer Look

Fabric Mode AP integrates with the VXLAN Data Plane; the Wireless Data Plane is distributed across APs
§ Fabric mode AP is a local mode AP and needs to be directly connected to the FE
§ CAPWAP control plane goes to the WLC using the Fabric
§ Fabric is enabled per SSID:
  • For a Fabric enabled SSID, the AP converts 802.11 traffic to 802.3 and encapsulates it into VXLAN, encoding the VNI and SGT info of the client
  • The AP forwards client traffic based on the forwarding table as programmed by the WLC. Usually the VXLAN DST is the first hop switch.
§ AP applies all wireless specific features like SSID policies, AVC, QoS, etc.

[Figure: VXLAN (Data) and CAPWAP Control plane from the Fabric Mode AP.]
SD-Access Wireless Architecture: Simplifying policy and Segmentation

[Figure: SD Fabric with Border (B) and Control-Plane (C) nodes, FE A and FE B, VXLAN (Data). Packet formats: 802.11 | IP | IP payload from the client; 802.3 | EID IP | IP payload inside VXLAN | UDP | underlay IP from the AP; the VXLAN header carries the Client SGT and the Client VRF.]

1. AP removes the 802.11 header.
2. AP adds the 802.3/VXLAN/underlay IP header. APs embed the Policy information in the VXLAN header and forward it.
   Hierarchical Segmentation:
   1. Virtual Network (VN) == VRF – isolated Control Plane + Data Plane
   2. Scalable Group Tag (SGT) – User Group identifier
3. FE removes the outer IP header, looks at the L2 VNID and maps it to the VLAN and L2 LISP instance. Then it encapsulates to the destination FE. Client is placed in the right VRF.
4. FE removes the outer IP header, looks at the L2 VNID and maps it to the VLAN. It also looks at the SGT and applies the policy before forwarding the packet. SGT policy is applied. Client Policy is carried end to end in the overlay.
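The encapsulation and enforcement steps above, as an added Python example that is not code from the deck: the AP side builds a VXLAN header carrying the client's VNI and SGT, and the fabric edge side parses it, derives the VN/VLAN from the L2 VNID and consults the SGT matrix before forwarding. The header layout is assumed to be the VXLAN Group Policy Option (draft-smith-vxlan-group-policy) with the SGT in the Group Policy ID field; the VNID/VLAN numbers and the permit/deny matrix are constructed, because the slides name the VNs and the SGT values but give neither. The underlay IP/UDP headers are left out.

```python
import struct
from dataclasses import dataclass

# VXLAN header with the Group Policy Option. Layout assumed from
# draft-smith-vxlan-group-policy (the slides only say the AP encodes the
# client's VNI and SGT in the VXLAN header):
#   byte 0    : G R R R I R R R   G = Group Policy ID present, I = VNI valid
#   byte 1    : reserved/flag bits (left clear here)
#   bytes 2-3 : Group Policy ID   -> carries the client's SGT
#   bytes 4-6 : VNI (24 bits), byte 7 reserved
FLAG_G = 0x80
FLAG_I = 0x08

@dataclass(frozen=True)
class VxlanGpo:
    vni: int
    sgt: int

def build_vxlan_gpo(vni: int, sgt: int) -> bytes:
    """Build the 8-byte VXLAN-GPO header the AP prepends to the client's 802.3 frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vni << 8)

def parse_vxlan_gpo(hdr: bytes) -> VxlanGpo:
    """Parse the header as a fabric edge would; reject frames without a valid VNI or SGT."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header truncated")
    flags, _reserved, group_policy_id, vni_and_reserved = struct.unpack("!BBHI", hdr[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI not valid")
    if not flags & FLAG_G:
        raise ValueError("G bit clear: no Group Policy ID, so no SGT to enforce")
    return VxlanGpo(vni=vni_and_reserved >> 8, sgt=group_policy_id)

def ap_encapsulate(frame_802_3: bytes, vni: int, sgt: int) -> bytes:
    """Step 2 on the slides: the AP adds the VXLAN header (the UDP and underlay IP
    headers would be added by the AP's IP stack and are omitted here)."""
    return build_vxlan_gpo(vni, sgt) + frame_802_3

# Constructed mappings. The slides name the VNs (Corporate, Guest, IoT/HVAC) and
# the SGTs (Employee 100, BYOD 200, Contractor 300, Production Serv. 10,
# Developer Serv. 20) but give no VNID/VLAN numbers and no permit/deny matrix;
# the numbers and the matrix below are invented for this example.
L2_VNID_TO_VLAN = {
    8188: ("Corporate VN", 1021),
    8189: ("Guest VN", 1022),
    8190: ("IoT/HVAC VN", 1023),
}
SGT_NAME = {100: "Employee", 200: "BYOD", 300: "Contractor",
            10: "Production Servers", 20: "Developer Servers"}
SGT_MATRIX = {  # (source SGT, destination SGT) -> action; unlisted pairs are denied
    (100, 10): "permit",
    (100, 20): "permit",
    (300, 20): "permit",
}

def fabric_edge_decision(vxlan_payload: bytes, dst_sgt: int) -> dict:
    """Steps 3-4 on the slides: the fabric edge maps the L2 VNID to VLAN/VN, then
    checks the source SGT against the destination's SGT before forwarding."""
    try:
        gpo = parse_vxlan_gpo(vxlan_payload)
    except ValueError as exc:
        return {"action": "drop", "reason": str(exc)}
    if gpo.vni not in L2_VNID_TO_VLAN:
        return {"action": "drop", "reason": f"unknown L2 VNID {gpo.vni}"}
    vn, vlan = L2_VNID_TO_VLAN[gpo.vni]
    action = SGT_MATRIX.get((gpo.sgt, dst_sgt), "deny")
    return {
        "vn": vn, "vlan": vlan,
        "src_sgt": gpo.sgt, "src_group": SGT_NAME.get(gpo.sgt, "unknown"),
        "dst_sgt": dst_sgt, "dst_group": SGT_NAME.get(dst_sgt, "unknown"),
        "action": action,
        "inner_frame": vxlan_payload[8:],
    }

if __name__ == "__main__":
    client_frame = b"\x00" * 14 + b"constructed client payload"  # constructed 802.3 frame
    for src_sgt, dst_sgt in [(100, 10), (200, 10), (300, 20), (300, 10)]:
        d = fabric_edge_decision(ap_encapsulate(client_frame, 8188, src_sgt), dst_sgt)
        print(f"{d['src_group']} -> {d['dst_group']}: {d['action']}")
```

The point to notice against the ACL slide earlier: the decision never looks at the client's IP address. The group travels in the header, so the same matrix entry applies wherever the client roams, and a frame that arrives without a Group Policy ID is dropped rather than silently treated as unclassified.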
SD-Access Wireless Benefits: User Group policy rollout

[Figure: DNA Center, WLC, L3 Switch and LAN core; one SSID for BYOD, Employee and Contractor; AAA, DHCP, AD; Production Servers and Developer Servers. Corporate VN with Employee SGT 100, BYOD SGT 200, Contractor SGT 300, Production Serv. SGT 10, Developer Serv. SGT 20; the VXLAN header (Fabric SRC, Fabric DST, VNID, SGT) prepended to the original packet. The second build adds a Guest Virtual Network and an IoT/HVAC Virtual Network.]

One Touch Point
1. Define Groups in AD
2. Design and Deploy in DNA-C
   § Create Virtual Network for Corporate
   § Define Policies
     • Role/Group based
   § Apply Policies
     • SGT based
3. Upon user authentication, Policy is automatically applied and carried end to end
DEMO
SDA Wireless Automation: Install of new AP
SDA Wireless: Site and Profiles
SDA Guest: Creation of a Guest Network
What products make this Architecture?
SD-Access – Fabric Wireless: Platform Support

3504 WLC
• AIR-CT3504
• 1G/mGig
• AireOS 8.5+

5520 WLC
• AIR-CT5520
• No 5508
• 1G/10G SFP+
• AireOS 8.5+

8540 WLC
• AIR-CT8540
• 8510 supported
• 1G/10G SFP+
• AireOS 8.5+

Wave 2 APs
• 1800/2800/3800
• 11ac Wave2 APs
• 1G/MGIG RJ45
• AireOS 8.5+

Wave 1 APs
• 1700/2700/3700
• 11ac Wave1 APs*
• 1G RJ45
• AireOS 8.5+

*with Caveats
NEW
SD-Access Wireless: Design Considerations
Wireless Integration in SDA Fabric: SD-Access Wireless vs. CUWN wireless Over The Top (OTT)

[Figure: two SD-Access Fabrics, each with APIC-EM, ISE / AD, a Control-Plane node (C) and Border nodes (B). CUWN OTT: Non-Fabric WLC and Non-Fabric APs, CAPWAP Cntrl & Data. SD-Access Wireless: Fabric enabled WLC and Fabric enabled APs, CAPWAP Cntrl plane and VXLAN Data plane.]

CUWN wireless Over The Top (OTT)
§ CAPWAP for Control Plane and Data Plane
§ SDA Fabric is just a transport
§ Supported on any WLC/AP software and hardware
§ Migration step to full SDA

SD-Access Wireless
§ CAPWAP Control Plane, VXLAN Data plane
§ WLC/APs integrated in Fabric, SD-Access advantages
§ Requires software upgrade (8.5+)
§ Optimized for 802.11ac Wave 2 APs
CUWN Over the Top (OTT)
• Definition:
  • Wireless OTT: a CAPWAP wireless overlay on top of the Fabric, i.e. a traditional CAPWAP deployment connected to the Fabric overlay. The Fabric is a transport for CAPWAP.
• Why wireless OTT?
  • Migration step: customers want/need to first migrate wired (different Ops teams managing wired and wireless, get familiar with Fabric, different buying cycles, etc.)
  • Longer term solution: customer doesn't want/cannot migrate to Fabric (new software, no 802.11n, wireless too critical to make changes)

[Figure: Non Fabric AP and Non Fabric WLC joined by a CAPWAP tunnel across the SD-Access Fabric.]
Key Takeaways

SDA for Mobility: Innovate Faster with Fabric-Enabled Wireless

Software Defined Wireless
§ Centralized management across wired-wireless
§ Secure Policy based Automation
§ Optimized distributed traffic flows for future scalability
§ Simplified enablement of Wi-Fi Services

[Figure: DNA Center; Simplified Provisioning; Optimized data plane with Campus-Wide Roaming; Wired and Wireless Policy Consistency; seamless L2 roam across Campus; policy stays with user; consistent Policy for Wired/Wireless; easy end to end Virtualization and Segmentation.]

Thank you